Configure a SAS Metadata Server for Security

Overview

When you install a Data Management Server, it is configured by default to use a SAS Metadata Server for authentication and authorization. If your site uses a DataFlux Authentication Server instead of a SAS Metadata Server, then see Configure a DataFlux Authentication Server for Security.

Basic Configuration Occurs during Installation

When you install a Data Management Server, the SAS Deployment Wizard sets the value of the configuration option BASE/AUTH_SERVER_LOC to specify the network name and port of the SAS Metadata Server. After installation, the file install-path/etc/app.cfg contains an entry that is similar to this example:
base/auth_server_loc=iom://Orion.us.southeast.omr.com:8561
Note: 8561 is the default port number for the SAS Metadata Server. Always use this port number unless it is already in use on the host of the SAS Metadata Server.
The SAS Deployment Wizard also creates a metadata definition for the DataFlux Data Management Server on the SAS Metadata Server. After installation, you can see and control the DataFlux Data Management Server in SAS Management Console or in a newer administrative client.

Manage Server Configuration Options That Are Set from Metadata

When you use a SAS Metadata Server for security, the DataFlux Data Management Server downloads the values of the following configuration options from metadata each time the server starts: DMSERVER/SOAP/SSL, DMSERVER/SOAP/LISTEN/PORT, and DMSERVER/SECURE.
The Data Management Server uses the value of DMSERVER/NAME to query its own metadata definition on the SAS Metadata Server. If the name is valid and if the metadata definition can be accessed, then the DataFlux Data Management Server sets the local values from the supplied metadata.
To access the metadata definition, the process owner of the DataFlux Data Management Server must have a user definition on the SAS Metadata Server. Another method of enabling access is to specify Read access to the metadata definition for the PUBLIC group.
If the metadata definition cannot be accessed by the specified name, or if the name is valid but access is denied, then the DataFlux Data Management Server does not start.
If the server starts, and if the preceding options are specified in the Data Management Server’s dmserver.cfg file, then the local values supersede the metadata values. For this reason, the preceding options should be commented out in dmserver.cfg. They are commented out by default when you install the DataFlux Data Management Server with the SAS Management Server.
To change the metadata definition of the DataFlux Data Management Server, open SAS Management Console, enter administrative credentials, right-click the Data Management Server instance, and select Properties. After you save your changes, restart the DataFlux Data Management Server to download the latest configuration option values.
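The following check is an added example, not part of the SAS documentation: it scans the text of dmserver.cfg for active entries that would supersede the three metadata-supplied options. It assumes that "#" begins a comment and that entries use name = value syntax with case-insensitive option names; the function name and the sample file contents are hypothetical.

```python
import re

# Options the page says are downloaded from the SAS Metadata Server at startup.
METADATA_MANAGED = {
    "DMSERVER/SOAP/SSL",
    "DMSERVER/SOAP/LISTEN/PORT",
    "DMSERVER/SECURE",
}

# Assumption: "#" starts a comment and entries are "name = value" (spaces optional).
ENTRY = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def find_local_overrides(cfg_text):
    """Return (line_number, option, value) for each active entry that would
    supersede a metadata-supplied value."""
    overrides = []
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        match = ENTRY.match(line)
        if not match:
            continue  # blank line, commented-out entry, or not an entry
        name, value = match.group(1).upper(), match.group(2)
        if name in METADATA_MANAGED:
            overrides.append((lineno, name, value))
    return overrides


# Constructed sample, not taken from a real installation.
SAMPLE_CFG = """\
# DMSERVER/SOAP/SSL = yes
dmserver/soap/listen/port = 21036
DMSERVER/NAME = DataFlux Data Management Server - host1
  #DMSERVER/SECURE = yes
DMSERVER/SECURE=no
"""

if __name__ == "__main__":
    for lineno, name, value in find_local_overrides(SAMPLE_CFG):
        print(f"line {lineno}: {name} = {value} overrides the metadata value")
```

An empty result means the values saved in the metadata definition are the ones that take effect after the next restart.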

Configure Server Restart

Because the Data Management Server cannot start unless the SAS Metadata Server is fully operational, you might want to configure a server dependency to prevent failures at invocation. To configure a server dependency, see Troubleshoot Server Start or Restart.

Additional Configuration after Installation

After you install a DataFlux Data Management Server for use with a SAS Metadata Server, you create new user and group definitions (as needed) on the SAS Metadata Server. To create users and groups on the SAS Metadata Server, see the SAS Intelligence Platform: Security Administration Guide.
You can also implement other access controls on the DataFlux Data Management Server. You can restrict server access by IP address, and you can create default access control lists with ALLOW and DENY permissions for users and groups, as described in Manage Permissions. When no default access control lists are defined, the members of the PUBLIC and USERS groups receive DENY permission.